Things have changed slightly between releases of WAAD, so I thought I'd quickly document the steps for adding the GA version of WAAD as an identity provider to IdentityServer.

If IdentityServer supported parsing WS-Federation metadata, this would be much simpler, but right now it doesn't, so here is the manual way (plus a little ninja trick).

1) Add a new application to WAAD
Add the application to your WAAD from the Azure portal.

2) Configure WS-Federation
The App ID is IdentityServer's Site ID (from the General tab in the admin area) and the reply URL is IdentityServer's HRD endpoint.

3) Add WAAD to IdentityServer
This is the tricky part. All the information you need is in WAAD's federation metadata. You can access the metadata from the application configuration/endpoints page in the Azure portal. The URL is something like:

In that document you can find the two things you need: the WS-Federation endpoint URL and the X.509 signing certificate (the key WAAD signs its tokens with).

The ninja trick: copy and paste the base64 text of the X.509 certificate into a text editor and save it as a .cer file. Now you can double-click it in Explorer and get the usual certificate view; from the Details pane you can copy the thumbprint.

Enter these two values (the endpoint URL and the certificate thumbprint) into IdentityServer's identity provider configuration:
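The whole of step 3 can be scripted instead of done by hand. The script below is an added example of mine, not code from the original post or from IdentityServer: it reads a WAAD federation metadata document, picks the WS-Federation passive endpoint and every signing certificate out of the SecurityTokenServiceType role, computes the SHA-1 thumbprint the Windows certificate viewer would show, and can also write each certificate out as a PEM .cer file if you still want to open it in Explorer. The embedded metadata document is a constructed sample in the shape of WAAD's FederationMetadata.xml; its certificates are placeholder bytes, not real DER certificates, and the tenant ID and URLs are made up. The function names are my own.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used in SAML/WS-Federation metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed placeholder "certificates" (not real DER); WAAD metadata may carry
# more than one signing key at a time, so the sample has two.
CERT1_B64 = base64.b64encode(b"constructed placeholder, not a real certificate #1").decode()
CERT2_B64 = base64.b64encode(b"constructed placeholder, not a real certificate #2").decode()

# Constructed sample metadata in the shape of WAAD's FederationMetadata.xml (made-up tenant ID).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert1}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert2}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.windows.net/00000000-0000-0000-0000-000000000000/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
""".format(cert1=CERT1_B64, cert2=CERT2_B64)


def parse_federation_metadata(xml_text):
    """Return (passive endpoint URL, [base64 signing certs]) from a metadata document."""
    root = ET.fromstring(xml_text)
    endpoint, certs = None, []
    for role in root.findall(".//md:RoleDescriptor", NS):
        # Only the STS role carries the WS-Fed endpoint and the token-signing keys;
        # the prefix in xsi:type is document-specific, so match on the local name.
        if not role.get(XSI_TYPE, "").endswith("SecurityTokenServiceType"):
            continue
        addr = role.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
        if addr is not None and addr.text:
            endpoint = addr.text.strip()
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue  # an encryption key is not what tokens are verified with
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # drop line breaks/indentation
    if endpoint is None:
        raise ValueError("no PassiveRequestorEndpoint in a SecurityTokenServiceType role")
    if not certs:
        raise ValueError("no signing certificate found")
    return endpoint, certs


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex: what the Windows cert viewer shows."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def to_pem(cert_b64):
    """PEM form of the certificate, openable as a .cer file in Explorer."""
    body = "\n".join(textwrap.wrap("".join(cert_b64.split()), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def identity_provider_settings(xml_text):
    """The two values IdentityServer's identity provider configuration asks for."""
    endpoint, certs = parse_federation_metadata(xml_text)
    return {"endpoint": endpoint, "thumbprints": [thumbprint(c) for c in certs]}


if __name__ == "__main__":
    settings = identity_provider_settings(SAMPLE_METADATA)
    print("WS-Federation endpoint:", settings["endpoint"])
    for i, tp in enumerate(settings["thumbprints"], 1):
        print("signing cert %d thumbprint: %s" % (i, tp))
```

Run it against the real document (fetch the metadata URL from the portal over HTTPS and pass its text in) and copy the endpoint and thumbprint into the identity provider configuration. Note that the metadata may list more than one signing certificate; if IdentityServer only accepts a single thumbprint, pick the one WAAD currently signs with and expect to redo this step when WAAD rolls its key.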

I am clearly not getting my thoughts across. Thank you for your patience. ACS allows you to download their providers listing page and customize it. The default page assumes HRD, so you are presented with an email address input that then forwards you to the appropriate IdP sign-in page. I'm looking for something similar with IdSrv. Can I retrieve a listing of providers from IdSrv so that I can do a lookup in a custom form and forward directly to the provider? Auth0's service provides this same sort of thing in the headless version of their login widget (https://docs.auth0.com/webapi, see the JavaScript API sample).